Conducting a HIPAA Risk Assessment
The core of any effective HIPAA compliance program is the development of a risk assessment and management process (45 C.F.R. § 164.308(a)(1)(ii)(A)&(B)). Risk assessment is the process of identifying, estimating, and prioritizing information related to organizational risks (NIST Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments, Section 2.3, September 2012). There is no single method to perform risk assessment; however, the effective risk assessment and management process should include at least the following steps: inventory, flow, scope, threats/vulnerabilities, likelihood, impact, risk, and response.
For HIPAA compliance, the inventory should focus on identification of all of the locations where protected health information (PHI) is stored or transmitted. This usually begins with the servers that store the electronic medical record or practice management software, and should expand to include all other ancillary storage of protected health information, such as email systems, Microsoft Office, back-up drives, or laptop computers.
The risk assessment should next diagram the flow of information through the organization. For HIPAA compliance, this flow should track the movement of PHI in and out of the organization.
Not every risk assessment must be comprehensive. For example, a risk assessment may focus on HIPAA implications related to the implementation of an electronic medical record. Where the risk assessment is narrower in scope, the scope of the assessment to be performed should be clearly defined and communicated in the documentation.
After information and assets have been inventoried, data flow has been mapped, and scope has been defined, the risk assessment should identify potential threats and vulnerabilities relevant to the organization.
A threat is the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. A vulnerability is a flaw or weakness in system procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a breach or a violation (NIST Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments, Section 2.3.1, September 2012).
To determine potential threats and vulnerabilities, the organization can consider information such as transmittals, alerts, or relevant guidance from regulatory agencies or payers; recent audit results or compliance investigations; coding or regulatory changes; and other industry guidance. The more specific the organization is in identifying threats and vulnerabilities, the more specific the risk assessment will be.
The end product of any risk assessment is the determination of the level of risk associated with each threat and vulnerability and the overall risk for the organization. A risk is the extent to which the organization is threatened by a particular event considering:
- the probability that a particular threat will exercise a particular vulnerability, and
- the resulting impact if this should occur.
There are different methodologies to calculate the level of risk, and the organization should document the method used. For example, what factors were considered in determining the likelihood and probability? What matrix was used to convert the likelihood and probability combination into a risk?
For each identified risk, the organization should document potential options evaluated for response, the option selected, the reason that option was determined to be appropriate, and the plan for implementation. This risk management plan can then be integrated into future assessments to evaluate the effectiveness of each response.
If implemented as a continual process within the organization, risk assessment and management can provide the structure necessary for the organization’s compliance program to constantly evolve and respond to industry changes.